Workreap - Freelance Marketplace and Directory < 2.6.3 - Subscriber+ Private Message Disclosure via IDOR
CVE-2022-3846

7.5HIGH

Key Information:

Vendor: Wordpress
Status: Workreap
Vendor: CVE Published:; 5 December 2022

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2022-3846?

The Workreap WordPress theme before 2.6.3 has a vulnerability with the notifications feature as it's possible to read any user's notification (employer or freelancer) as the notification ID is brute-forceable.

Affected Version(s)

Workreap 0 < 2.6.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2022-3846 - Proof of Concept

References

https://wpscan.com/vulnerability/6220c7ef-69a6-49c4-9c56-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Dec 5, 2022
👾
Exploit known to exist
Dec 5, 2022
Vulnerability published
Dec 5, 2022
Vulnerability Reserved
Nov 3, 2022

Credit

Veshraj Ghimire

Wordpress

Badges

What is CVE-2022-3846?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V3.1

Timeline

Credit